Skip to content

folio-org/edge-lti-courses

Repository files navigation

edge-lti-courses

Copyright (C) 2018-2023 The Open Library Foundation

This software is distributed under the terms of the Apache License, Version 2.0. See the file "LICENSE" for more information.

Overview

The purpose of this edge module is to connect LMS such as Sakai and Blackboard (LTI Platforms) to Folio via the LTI Advantage protocol for the purposes of sharing the course reserves stored in Folio.

To accomplish this, this module acts as an LTI Tool Provider. It adheres to two parts of the LTI Advantage spec to accomplish this. First, security is enabled via a third-party-initiated OIDC Authentication flow ( this is a generic ). Second, the actual course reserves are requested and shown via messages using the Resource Link spec.

The general use flow is as follows:

  1. Upon navigation to the tool's page on an LMS such as Sakai (the LTI platform), the platform sends an OIDC login initiation request to the tool at a predefined URL.
  2. This request is handled in LtiCoursesHandler::handleOidcLoginInit. The request is parsed and validated.
  3. If the request is valid, it responds with an HTTP 302 Redirect to a preconfigured URL for that platform.
  4. The platform handles that redirect and bounces a request back to the tool to the tool launch endpoint with the LTI request itself.
  5. The tool parses the LTI request which contains info about which course is being viewed in the LMS. Based on that, it fetches the course and its reserves from mod-courses, renders them in HTML, and sends back the HTML.
  6. The platform takes the response and displays it in an iframe.

Configuration

Configuration is done in two ways: system properties/args/secure stores, and LTI Platform configuration.

Arguments / System Properties

Values common to Folio Edge modules are configured using the methods made available in edge-common. These handle things like the port, okapi_url, or secure_store_props. E.g., you can run the module as java -jar edge-lti-courses-fat.jar -Dokapi_url=https://okapi.folio.my-university.com .... Besides the common values defined in edge-common, this module also uses the following system properties.

Name Description Default Value
lti_tool_private_key_file File path to a PEM file containing an RSA-encoded (PKCS8) private key. The key will be used by the Edge module when signing responses. This is needed if your LTI platform creates a private key for each tool. This edge module will generate its own keys if this property is not defined.
lti_tool_public_key_file File path to a PEM file containing an RSA-encoded (X509) private key. The key will be used by the Edge module when signing responses. This is needed if your LTI platform creates a private key for each tool. This edge module will generate its own keys if this property is not defined.
oidc_ttl TTL in ms of the OIDC state cache. I.e., how long the OIDC auth handshake can take. 10000
ignore_oidc_state Never use this in production!!! This allows you to debug requests by sending requests to the /launches endpoints directly rather than negotiating an OIDC handshake. This is inherently unsafe. false
box_api_app_token A box.com API App Token that allows the edge module to rewrite links to Box.com files (eg, https://my-uni.box.com/file/12345678) to an URL that is handled by the edge module (eg, /lti-courses/download-file/f00b4r-h4sh) that are downloaded directly by the client.
download_url_ttl TTL in ms of the download URLs generated by the edge module when rewriting Box.com links 300000
port 8081 Server port to listen on 8081
okapi_url Where to find Okapi (URL) required
request_timeout_ms Request Timeout 30000
log_level Log4j Log Level INFO
token_cache_capacity Max token cache size 100
token_cache_ttl_ms How long to cache JWTs, in milliseconds (ms) 100
secure_store Type of secure store to use. Valid: Ephemeral, AwsSsm, Vault Ephemeral
secure_store_props Path to a properties file specifying secure store configuration NA

Env variables for TLS configuration for Http server

To configure Transport Layer Security (TLS) for the HTTP server in an edge module, the following configuration parameters should be used. Parameters marked as Required are required only in case when TLS for the server should be enabled.

Property Default Description
SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_TYPE NA (Required). Set the type of the keystore. Common types include JKS, PKCS12, and BCFKS
SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_LOCATION NA (Required). Set the location of the keystore file in the local file system
SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_PASSWORD NA (Required). Set the password for the keystore
SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEY_ALIAS NA Set the alias of the key within the keystore.
SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEY_PASSWORD NA Optional param that points to a password of KEY_ALIAS if it protected

Env variables for TLS configuration for Web Client

To configure Transport Layer Security (TLS) for Web clients in the edge module, you can use the following configuration parameters. Truststore parameters for configuring Web clients are optional even when FOLIO_CLIENT_TLS_ENABLED = true. If truststore parameters need to be populated, FOLIO_CLIENT_TLS_TRUSTSTORETYPE, FOLIO_CLIENT_TLS_TRUSTSTOREPATH and FOLIO_CLIENT_TLS_TRUSTSTOREPASSWORD are required.

Property Default Description
FOLIO_CLIENT_TLS_ENABLED false Set whether SSL/TLS is enabled for Vertx Http Server
FOLIO_CLIENT_TLS_TRUSTSTORETYPE NA Set the type of the keystore. Common types include JKS, PKCS12, and BCFKS
FOLIO_CLIENT_TLS_TRUSTSTOREPATH NA Set the location of the keystore file in the local file system
FOLIO_CLIENT_TLS_TRUSTSTOREPASSWORD NA Set the password for the keystore

LTI Platforms

LTI Advantage requires that Platforms and Tools have knowledge of one other before they can safely and effectively communicate. This Tool is configured with the platforms it should respond to via the ui-lti-courses module. More information about what is configurable can be found there, but at a minimum, this Tool needs to know the following about a platform:

  • Client ID: The ID that was generated for the Tool by the Platform.
  • Issuer: Corresponds to the iss field in a JWT sent by the Platform.
  • JWKS URL: A location where the Tool can fetch the Platform's JWKS so that it can decode the JWTs sent and signed by the Platform.
  • OIDC Authorization URL: The URL that the Tool should redirect the Platform to after handling an OIDC Login Initiation.
  • Search URL: A templated URL that the Tool will use when rendering HTML links to the course reserve items.

Code Tour

A full Code Tour that's intended for a technical audience is available here.

Security

edge-common contains a description of the security model as it relates to the apiKey. Additionally, further security is added due to LTI's use of an OIDC login flow.

apiKey

This module requires passing the apiKey as a path param, e.g., https://my-server.edu/lti-courses/launches/myApiKey. The reason for this is that many LMS expect to have exclusive use of the query params and insert a second ? in the URL, so this just ensures things are a bit less flaky.

Platform RSA Keys

The Platform's public key is fetched via a JWKS. The Platform's JWKS URL is configured using the ui-lti-courses module.

Requires Permissions

Institutional users should be granted the following permission in order to use this edge module:

  • course-reserves-storage.courselistings.reserves.collection.get
  • course-reserves-storage.courses.collection.get
  • configuration.entries.collection.get

Box.com API integration

Folio inventory items can have their "Electronic access" defined with an URL. If an item's electronic access URL is a link to a file stored on box.com (eg, https://my-uni.box.com/file/12345678), the link rendered by the edge module would normally link the user to that same box.com URL. If the user viewing the link doesn't have permissions to view the page, then the edge module can be configured so that the link rendered can instead result in the user downloading the file directly regardless of their permissions.

To enable this functionality, you need to pass in a Box.com API App Token via the box_api_app_token system property as described above. Afterwards, when responding to a LTI Request the edge module will rewrite box.com links into generated links to itself that contain a hash of the file ID. The generated link will be valid for 10 minutes by default. When a user clicks the link, the edge module will download the file directly using its box.com App Token and route the file contents to the user as a file download.

Additional Docs